AMD confirms CTS-Labs vulns, promises fixes

AMD has confirmed that the vulnerabilities controversially announced by small security firm CTS-Labs last week are, indeed, genuine, but has downplayed their severity and promised to release firmware patches in the coming weeks.

Previously unheard-of security firm CTS-Labs won considerable column inches last week when it went public with 13 claimed security vulnerabilities affecting AMD's Zen-based processor families just 24 hours after alerting the company privately and at the same time as a major short on AMD's stock was issued. With disagreement in the industry over the core validity and severity of the claimed vulnerabilities, which are known as Ryzenfall, Masterkey, Fallout, and Chimera, all eyes turned to AMD's internal investigation into the matter.

Now, the company has issued its first statement confirming that the vulnerabilities are indeed genuine, though of a considerably lower impact than presented by CTS-Labs in its public announcement and are not, unlike the recent Spectre vulnerability, related to design flaws in the Zen microarchitecture itself. 'The security issues identified by the third-party researchers are not related to the AMD "Zen" CPU architecture or the Google Project Zero exploits made public Jan. 3, 2018,' AMD's Mark Papermaster explains. 'Instead, these issues are associated with the firmware managing the embedded security control processor in some of our products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

'It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings. Any attacker gaining unauthorised administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research. Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorised administrative access that would need to be overcome in order to affect these security issues.'

AMD has confirmed it will be releasing fixes for all four vulnerability families in the coming weeks via firmware updates which will, unfortunately, need to be integrated into updates from each motherboard manufacturer and for each model of motherboard - meaning that it could be some time before all affected products receive the patches. The requirement for full control over the target system, though, means that the flaws are less easy to exploit while unpatched than Spectre or Meltdown before them - though could, potentially, be used in targeted attacks against particular individuals by, for example, intercepting a system at a supplier warehouse or in-transit before it reaches its destination.

None of the patches are expected to have any impact on the performance or functionality of the affected system, Papermaster has claimed.